State AGs can investigate employers behind HIPAA data breaches
- The spotlight might be on international hackers committing security breaches, but employers face other security risks, says SHRM. If an employee with access to another worker’s personal health record puts the information up on the computer’s monitor and leaves it unattended for others to see, a data breach has occurred in violation of the Health Insurance Portability and Accountability Act.
- Employers are subject to HIPAA’s notification rule, which requires that anyone affected by the breach must be notified within a specific time frame. Up until August 2016, the incident described above would not have triggered an investigation by the U.S. Department of Health and Human Services Office of Civil Rights because it affected fewer than 500 people. But on Aug. 18, the OCR announced that it would investigate all data breaches, regardless of size.
- HIPAA allows a state’s attorney general to investigate cases and file charges against organizations that violate the notification rule. This means that an employer that is already investigating its own data breach could, in turn, be investigated by the OCR or by the state’s attorney general, says SHRM.
Employers must communicate to employees the critical importance of keeping proprietary information private, and that includes HIPAA-protected personal health information as well as high-level company data. Employees need to know the rules and the consequences of data breaches, and companies need to enforce those rules rigorously.
If a data breach occurs involving HIPAA-protected health information, employers should:
- Send a notice to the affected person stating that the data has been seen, or probably has been seen, no later than 60 days after the incident.
- Send the notice by USPS first-class mail.
- Explain in the notice what happened, when it happened, and any other pertinent details.
- Notify HHS of the breach through its website, also no later than 60 days after the incident.